api: return error if login or api_key params are given but blank.
* Make it an error to supply empty API credentials, like this: `https://danbooru.donmai.us/posts.json?login=&api_key=`. Some clients did this for some reason. * Make it so that the `login` and `api_key` params are only allowed as URL params, not as POST or PUT body params. Allowing them as body params could interfere with the `PUT /api_keys/:id` endpoint, which takes an `api_key` param.
@@ -16,7 +16,7 @@ class SessionLoader
def initialize(request)
def initialize(request)
@request = request
@request = request
@session = request.session
@session = request.session
@params = request.parameters
@params = request.query_parameters
end
end
# Attempt to log a user in with the given username and password. Records a
# Attempt to log a user in with the given username and password. Records a
@@ -90,7 +90,7 @@ class SessionLoader
# @return [Boolean] true if the current request has an API key
# @return [Boolean] true if the current request has an API key
def has_api_authentication?
def has_api_authentication?
request.authorization.present? || params[:login].present? || (params[:api_key].present? && params[:api_key].is_a?(String))
request.authorization.present? || params.has_key?(:login) || params.has_key?(:api_key)
end
end
private
private
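Review bot: The rewritten `has_api_authentication?` drops the old `params[:api_key].is_a?(String)` guard, so a query string like `api_key[]=x` or `api_key[k]=v` now makes the method return true with an Array or Hash in `params[:api_key]`; whatever consumes that value further down (outside this hunk) must tolerate a non-String, or a malformed request turns into a 500 instead of the intended 401. If the consumer already coerces or type-checks, a short comment here saying so would save the next reader the trip. The `@return` doc line above it is also now inaccurate, since the method is true whenever the key is merely present, even blank; suggest `# @return [Boolean] true if the request carries API credentials: an Authorization header, or a login/api_key query param (even if blank, which then fails authentication)`. The symbol-key lookups on `request.query_parameters` presumably rely on it being indifferent-access in Rails; worth confirming since the test stub for it is a plain Hash.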
@@ -165,19 +165,27 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
end
end
should "fail for api key mismatches" do
should "fail for api key mismatches" do
get profile_path, as: :json, params: { login: @user.name }
get profile_path(login: @user.name), as: :json
assert_response 401
assert_response 401
get profile_path, as: :json, params: { api_key: @api_key.key }
get profile_path(api_key: @api_key.key), as: :json
assert_response 401
assert_response 401
get profile_path, as: :json, params: { login: @user.name, api_key: "bad" }
get profile_path(login: @user.name, api_key: "bad"), as: :json
assert_response 401
end
should "fail for a blank API key" do
get profile_path(login: ""), as: :json
assert_response 401
get profile_path(api_key: ""), as: :json
assert_response 401
assert_response 401
end
end
should "succeed for non-GET requests without a CSRF token" do
should "succeed for non-GET requests without a CSRF token" do
assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do
assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do
put user_path(@user), params: { login: @user.name, api_key: @api_key.key, user: { enable_safe_mode: "true" } }, as: :json
put user_path(@user, login: @user.name, api_key: @api_key.key), params: { user: { enable_safe_mode: "true" }}, as: :json
assert_response :success
assert_response :success
end
end
end
end
@@ -220,16 +228,16 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
@post = create(:post)
@post = create(:post)
@api_key = create(:api_key, permissions: ["posts:index", "posts:show"])
@api_key = create(:api_key, permissions: ["posts:index", "posts:show"])
get posts_path, params: { login: @api_key.user.name, api_key: @api_key.key }
get posts_path(login: @api_key.user.name, api_key: @api_key.key)
assert_response :success
assert_response :success
get post_path(@post), params: { login: @api_key.user.name, api_key: @api_key.key }
get post_path(@post, login: @api_key.user.name, api_key: @api_key.key)
assert_response :success
assert_response :success
get tags_path, params: { login: @api_key.user.name, api_key: @api_key.key }
get tags_path(login: @api_key.user.name, api_key: @api_key.key)
assert_response 403
assert_response 403
put post_path(@post), params: { login: @api_key.user.name, api_key: @api_key.key, post: { rating: "s" }}
put post_path(@post, login: @api_key.user.name, api_key: @api_key.key), params: { post: { rating: "s" }}
assert_response 403
assert_response 403
assert_equal(4, @api_key.reload.uses)
assert_equal(4, @api_key.reload.uses)
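Review bot: The new "fail for a blank API key" test pins the first half of the commit message (blank `login=` / `api_key=` are rejected), but nothing in either hunk pins the second half: that credentials sent in a POST/PUT body are no longer honoured. Every body-param call was simply moved into the URL, so a later regression that reads `request.parameters` again would pass this suite unchanged. The existing "succeed for non-GET requests" test has the ingredients for a negative counterpart; the status it should expect is whatever the unauthenticated path returns (401 in the visible tests, but worth confirming for the PUT route). The test name also only mentions the API key while the first request exercises a blank `login`; `"fail for blank login or API key params"` would describe it better.
```ruby
should "ignore credentials passed in the request body" do
  put user_path(@user), params: { login: @user.name, api_key: @api_key.key, user: { enable_safe_mode: "true" } }, as: :json
  assert_response 401 # confirm: status of the unauthenticated PUT path
  assert_equal false, @user.reload.enable_safe_mode
end
```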
@@ -11,6 +11,7 @@ class SessionLoaderTest < ActiveSupport::TestCase
@request.stubs(:cookie_jar).returns({})
@request.stubs(:cookie_jar).returns({})
@request.stubs(:cookies).returns({})
@request.stubs(:cookies).returns({})
@request.stubs(:parameters).returns({})
@request.stubs(:parameters).returns({})
@request.stubs(:query_parameters).returns({})
@request.stubs(:session).returns({})
@request.stubs(:session).returns({})
@request.stubs(:headers).returns({})
@request.stubs(:headers).returns({})
SessionLoader.any_instance.stubs(:initialize_session_cookies)
SessionLoader.any_instance.stubs(:initialize_session_cookies)
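Review bot: The added `query_parameters` stub returns a plain `{}`, while `SessionLoader#has_api_authentication?` now looks keys up with `has_key?(:login)` / `has_key?(:api_key)`; in production `request.query_parameters` is presumably indifferent-access, so any test in this file that later fills the stub with string keys would behave differently from the real request. Returning `{}.with_indifferent_access` from the stub keeps the fixture honest, `@request.stubs(:query_parameters).returns({}.with_indifferent_access)`. The older `parameters` stub on the line above is kept although the loader no longer reads it; if nothing else in SessionLoader does either, it is dead fixture and can go, otherwise a short comment naming the remaining reader would help. The setup block this belongs to starts before the hunk.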